local mirror, using httpd - a couple of questions...

Discussion in 'NOD32 version 2 Forum' started by webyourbusiness, Apr 8, 2005.

Thread Status:
Not open for further replies.
  1. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    We're setting up another mirror using the administration version - using httpd as an access method (it's the simplest in this rather strange network setup) - a couple of questions arise:

    1. why can't we specify two different ports (or more) for access to the mirror - this would be a very useful feature

    2. the access to update files isn't working as I would expect it to - entering a username and password into the login/password name doesn't stop users without a login/password on their workstations from being able to access the update files... i.e. - are these username/password options completely irrelevant on the httpd method? Can we have them added as a wishlist item if so - password access to the update files would be EXTREMELY handy... here's why...

    This network setup has port forwarding on the external router - this allows external sales reps to access the fileserver for AV updates - however, if the IP and port number are compromised, i.e., fall into the hands of someone that leaves the company, or they give the information to a friend etc, a LOT of people can use this update server without anyone's knowledge even.

    The easiest way I thought to get round this, was to use the username/password with the httpd access method - but it's not working as I thought it would...

    any help would be great thanks!

    Greg
     
  2. Dakhor

    Dakhor Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    75
    Yes u make a valid point...

    As far as I know the update password on the mirror settings is actually for Eset's update servers, that is exactly like the one on the update settings. Maybe it's for some kind of fail safe procedure when the yearly change of password occurs. If one doesn't work the other will. I could be wrong though.

    /DaK/
     
  3. webyourbusiness

    webyourbusiness Registered Member

    This is actually a flaw in the whole mirror/update system I think...

    there is no way to stop unauthorized users of your update mirror if they have access to the public IP and the port is not locked out... there needs to be username/authentication built into this so that you can have SOME control over the NOD32 workstations that are able to connect to your update mirror!

    Let me offer up another abuse scenario...

    Company A has its update mirror on the domain controller, or other PC with a NOD32 update mirror running for internal AND external use - an employee knows the IP and port, and gives these to a bunch of his "friends" - they are all able to enjoy FREE NOD32 updates courtesy of the original licensee (who was using it LEGALLY!)

    The only way I can see round this, is for external machines to have the same Eset update username and password that the mirror uses - which AGAIN opens up the company license to be abused... it's not difficult to look at the username - that's un-encoded, and a tool such as asterisk-key can reveal the asterisked out password... now you have the potential for the valid key to be distributed if the machine is compromised.

    The next logical step is if ALL external machines have their settings password protected.... it seems like a lot of work on the behalf of the valid licensee to protect the assets of Eset... I'd like to see a simpler method - such as username/password control of your mirror, then username password protection of the settings.

    Anyone else's views?
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Sounds good to me.

    Cheers :D
     
  5. Dakhor

    Dakhor Registered Member

    Password protect settings yes -- I'd like to be able to protect some things but not others... For instance the update settings with the username and password. Nobody needs to be able to mess around with that even if I wish them to be able to turn off AMON manually.

    /DaK/
     
  6. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    We use plain ol' http: for all of our updates. Don't need a password, just hit the server and thereyago. I only have a single server that goes to Eset to pick up the updates, then 17 more that pick from it, then the users from their servers. I also have remote sales people and other users that pull their updates from their proper servers. Through a VPN. That's all it takes. No VPN connection, you don't get in to see the updates. We don't have to have an exposed update server. Have you considered doing it this way?

    Jack
     
  7. Dakhor

    Dakhor Registered Member

    VPN is a bitch with cheap routers etc etc ... Been there done that - I'll never buy a piece of **** linksys product ever again.

    /DaK/
     
  8. anotherjack

    anotherjack Registered Member

    Sorry, I was looking at it from a corporate standpoint, not a personal/home one.

    Jack
     
  9. Dakhor

    Dakhor Registered Member

    Uhh maybe I was a bit short -- wasn't my intention to be bitchy hehe...

    What I meant was that VPN is great for medium to large companies with enough funds and enough "secrets" to warrant the installation of proper hardware for VPN...

    For smaller companies it's often not worth the hassle, except for certain kinds of small companies or ones in certain specific fields of business.

    If I was the one in control of the company I'm helping out now I'd set up things very differently. But the problem is that I'm not and the one that is knows very little about computer security - next to nothing. And I'm not gonna set up something that costs them much more money than necessary.

    And my experience with VPN is that u get what u pay for. Going VPN without buying cheap crap would prob triple their security budget.

    So update through http remains an issue that needs addressing. Simply implement the option of password requirement. Problem solved...


    /DaK/
     
  10. webyourbusiness

    webyourbusiness Registered Member

    it would be nice to have http update logging of remote IPs at least...

    I have no idea if the correct 3 external machines are using the update mirror, or 30!

    I think the biggest point being, I can throw together an update mirror to be used by my valid licensed users, and it can be EASILY abused by someone who has the address... VPN would be a solution, but why do the clients have to spend money on VPN technology to protect Eset's assets? With a simple router it's possible to use mere port forwarding to enable external staff access to updates, but it's so open to abuse that it's just not funny... oh well, it's not my assets.

    I just pointed out this particular problem - honestly, I think Eset needs to provide a plug for their own hole, not the person buying the software...
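
Added example, not part of the thread or of any Eset tooling: the "3 machines or 30" question above can be answered from the firewall in front of the mirror rather than from the mirror itself. This sketch assumes iptables-style LOG lines for new inbound connections (the sample is constructed and abbreviated), a placeholder mirror port of 8081, and a placeholder allowlist of the expected external machines.

```python
import ipaddress
import re
from collections import Counter

MIRROR_PORT = 8081  # assumed placeholder; use the port seen at your logging point
# Assumed allowlist: addresses the legitimate external machines connect from.
EXPECTED = [ipaddress.ip_network(n) for n in
            ("203.0.113.10/32", "203.0.113.11/32", "198.51.100.0/28")]

# Constructed sample, abbreviated iptables LOG format (documentation addresses).
SAMPLE_LOG = """\
Apr  8 09:01:12 gw kernel: MIRROR IN=eth0 SRC=203.0.113.10 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=40112 DPT=8081 SYN
Apr  8 09:31:40 gw kernel: MIRROR IN=eth0 SRC=203.0.113.10 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=40377 DPT=8081 SYN
Apr  8 10:02:03 gw kernel: MIRROR IN=eth0 SRC=198.51.100.3 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=51820 DPT=8081 SYN
Apr  8 10:15:55 gw kernel: MIRROR IN=eth0 SRC=192.0.2.77 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=33001 DPT=8081 SYN
Apr  8 11:15:58 gw kernel: MIRROR IN=eth0 SRC=192.0.2.77 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=33412 DPT=8081 SYN
Apr  8 11:40:09 gw kernel: MIRROR IN=eth0 SRC=192.0.2.200 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=49001 DPT=8081 SYN
Apr  8 11:41:00 gw kernel: MIRROR IN=eth0 SRC=192.0.2.77 DST=192.168.1.5 LEN=60 PROTO=TCP SPT=33500 DPT=22 SYN
Apr  8 11:42:00 gw kernel: MIRROR IN=eth0 SRC=203.0.113.11 DST=192.168.1.5 LEN=40 PROTO=UDP SPT=5353 DPT=8081
"""

LINE_RE = re.compile(r"\bSRC=(?P<src>\S+) .*?\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)\b")

def audit_mirror_clients(log_text, port=MIRROR_PORT, expected=EXPECTED):
    """Return (known, unknown) Counters mapping source IP -> connection count."""
    known, unknown = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) != port:
            continue  # not TCP traffic to the mirror port
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address field; skip rather than crash
        bucket = known if any(src in net for net in expected) else unknown
        bucket[str(src)] += 1
    return known, unknown

if __name__ == "__main__":
    known, unknown = audit_mirror_clients(SAMPLE_LOG)
    print(f"expected clients: {len(known)}, unexpected clients: {len(unknown)}")
    for ip, hits in unknown.most_common():
        print(f"  UNEXPECTED {ip}: {hits} connection(s)")
```

Sources outside the allowlist can then be dropped at the same firewall, which restricts the forwarded port to known addresses without requiring a VPN.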
     